API Clients and Permissions
API clients control access to the Registration API. The features applied to an API client manage the base level of read and write access it will have to user records and application management functionality. Additional access control can be put in place by using client access schemas.
Client Feature Sets
The following features may be set for an API client. If client features are not set on creation, they can be added or updated through the Console or using the Configuration APIs.
| Feature | Description |
| --- | --- |
| access_issuer | This type of client has permission to issue access tokens scoped for use with all clients. |
| direct_access | This type of client has read and write access to all user records using the client ID and secret. |
| direct_read_access | This type of client has read access to all user records using the client ID and secret. |
| login_client | This type of client is scoped with read and write access to only the currently authenticated user. It can only be used with sign-in- and registration-based API endpoints. All client-side API calls should be made using a client with this feature. |
| metadata | This type of client will not update the lastUpdated attribute when posting updates to a user record. This client feature set is commonly used with third-party integrations. This type of client can only be provisioned by the Akamai team. |
| owner | This type of client has complete admin access to the application. The application owner credentials should only be used for administrative configuration purposes, such as provisioning additional API clients, updating client settings, and managing your schema. |
Note: Do not update a client with the metadata feature through the Console; doing so removes the feature and may cause unexpected results.
Client Access Schemas
API clients can also be restricted with read or write access to a subset of specific attributes within an entity type. Custom access schemas are commonly used for integrations with third-party applications. This allows controlled access to the user database based on the attributes that an application needs access to. This is configured on a per-client basis using the /entityType.setAccessSchema endpoint.
This diagram provides some more context about how authorization can be managed for API clients. Integrations with other systems, such as an Email Service Provider, Ad Server, or CRM, make use of API clients that query the database and receive result sets used for data synchronization or data analysis. Each of these clients can be granted access to only the attributes needed to support its specific business need, rather than access to the whole record.
Within the diagram:
- The API Client assigned to the Email Service Provider only has access to the user’s email address, first name, and opt-ins.
- The API Client assigned to the Ad Server only has access to the user’s DOB and gender.
- The API Client assigned to the Recommendation Engine only has access to the user’s Interests.
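The per-client allowlists from the diagram, as an added example that is not Akamai's code: it builds the form parameters for one /entityType.setAccessSchema call per integration and shows what each client then sees of a record. The parameter names (type_name, for_client_id, access_type, attributes), the client IDs and the attribute names are assumptions; check them against the API reference for your schema.

```python
"""Per-client attribute allowlists (access schemas) for the Registration API.

Added example, not Akamai's code. The form-parameter names used for
/entityType.setAccessSchema (type_name, for_client_id, access_type,
attributes) are assumptions; verify them against the API reference.
"""
import json
from typing import Dict, List

# Constructed: attributes defined on the "user" entity type.
USER_ATTRIBUTES = {"email", "givenName", "familyName", "optIn",
                   "birthday", "gender", "interests", "password"}

# Constructed: least-privilege read schemas for the integrations in the diagram.
ACCESS_SCHEMAS: Dict[str, Dict[str, List[str]]] = {
    "esp_client":       {"read": ["email", "givenName", "optIn"]},
    "ad_server_client": {"read": ["birthday", "gender"]},
    "recsys_client":    {"read": ["interests"]},
}


def unknown_attributes(attributes: List[str]) -> List[str]:
    """Attributes that do not exist on the entity type; catch schema typos
    before they are pushed, since a misspelled attribute grants nothing useful."""
    return [a for a in attributes if a not in USER_ATTRIBUTES]


def build_set_access_schema_params(client_id: str, access_type: str,
                                   type_name: str = "user") -> Dict[str, str]:
    """Form parameters for one /entityType.setAccessSchema call (assumed names)."""
    if access_type not in ("read", "write"):
        raise ValueError("access_type must be 'read' or 'write'")
    attrs = ACCESS_SCHEMAS.get(client_id, {}).get(access_type)
    if attrs is None:
        raise ValueError(f"no {access_type} schema defined for {client_id}")
    bad = unknown_attributes(attrs)
    if bad:
        raise ValueError(f"unknown attributes for {client_id}: {bad}")
    return {"type_name": type_name, "for_client_id": client_id,
            "access_type": access_type, "attributes": json.dumps(attrs)}


def project_record(record: dict, client_id: str, access_type: str = "read") -> dict:
    """What a client sees of a record: only attributes its schema allows. A client
    with no schema entry for that access type sees nothing (deny by default)."""
    allowed = set(ACCESS_SCHEMAS.get(client_id, {}).get(access_type, []))
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample user record; note that "password" reaches no integration.
SAMPLE_USER = {"email": "ana@example.com", "givenName": "Ana", "familyName": "Ruiz",
               "optIn": True, "birthday": "1990-04-02", "gender": "female",
               "interests": ["cycling"], "password": "<hash>"}
```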